Malware Analysis — WannaCry
In the previous article, we analyzed an Android malware (DroidDream) for a change. Now, we’re back to Windows malware and a very famous one at that! Many people have heard about the ransomware that we’ll be analyzing today — WannaCry. Unlike my other malware analysis related articles, I’ll be focusing solely on code analysis. I’ve not included any dynamic analysis information in this article.
Note 1: I highly recommend reading my article on Infostealer.Dyre before reading this post. I’ve explained the test lab setup and basic malware analysis process in detail and that information will not be repeated in every article.
Analysis
Dropper Static Analysis
SHA256: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
What kind of file is it?
The dropper is a Microsoft Visual C++ PE with a compilation timestamp of Sat Nov 20 04:03:08 2010. Fortunately, it’s not packed/encrypted. This information can be seen in the tool, Detect-It-Easy (die).
What are some interesting imports?
Some interesting imports include GetProcAddress, GetModuleHandleA, RegisterServiceCtrlHandlerA, CreateServiceA, RegSetValueEx, CryptGenRandom, CreateFileA, ReadFile.
These imports can be seen in PEstudio. They suggest that the sample resolves functions dynamically, modifies registry key-value pairs, uses cryptography and performs file system operations.
What are some interesting cleartext strings?
Some cleartext strings include mssecsvc.exe, tasksche.exe, http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, Global\MsWinZonesCacheCounterMutex, icacls . /grant Everyone:F /T /C /Q, attrib +h .
These strings can be seen in PEstudio. We can see a URL (which, as we’ll see later, is the famous WannaCry kill-switch), the mutex that the sample uses and commands that modify file/directory attributes.
Does the sample have any embedded resources?
Yes, the sample has an embedded executable. This resource can be found using the tool, ResourceHacker.
Dropper Code Analysis
The dropper exits if the URL, http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, is reachable.
When the dropper is executed for the first time without any arguments, it installs and starts a service named “Microsoft Security Center (2.0) Service” with the arguments “-m security”. The service binary is the dropper itself.
After starting the service, the dropper loads the embedded resource (R1831, AKA tasksche.exe), writes its content to C:\WINDOWS\tasksche.exe and starts it as a process.
When the “Microsoft Security Center (2.0) Service” is started with the “-m security” arguments, its ServiceMain function begins exploiting the EternalBlue and DoublePulsar vulnerabilities on other connected computers. This constitutes the propagation mechanism of WannaCry.
tasksche.exe Code Analysis
SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
First, tasksche.exe gets the local computer name and obfuscates it.
If it is started with the “/i” argument:
- It copies itself to “C:\ProgramData\<obfuscatedComputerName>\tasksche.exe”.
- After the copy, it tries to start C:\ProgramData\<obfuscatedComputerName>\tasksche.exe as a service. If that fails, it tries to start it as a process.
- If the system has a global mutex named “MsWinZonesCacheCounterMutex”, tasksche.exe exits. The presence of this mutex indicates that a sample of WannaCry is already active on the system.
Next, an embedded ZIP file is extracted using the password, WNcry@2ol7. The contents are extracted in the directory where tasksche.exe is located.
tasksche.exe then loads bitcoin wallet addresses.
It reads c.wnry which contains TOR zip information, its configuration data and multiple .onion addresses:
- gx7ekbenv2riucmf.onion
- 57g7spgrzlojinas.onion
- xxlvbrloxvriy2c5.onion
- 76jdd2ir2embyv47.onion
- cwwnhwhlz52maqm7.onion
It changes the attributes of the files and of the directory into which the zip contents were extracted. It hides the contents of that directory and grants full access to all files in the directory to all users.
It retrieves the cryptographic key provider — Microsoft Enhanced RSA and AES Cryptographic Provider.
tasksche.exe starts reading t.wnry. It checks the integrity of t.wnry by verifying that the first 8 bytes of the file are WANACRY!
It proceeds to read the encrypted AES key which is decrypted using the hard-coded public key present in tasksche.exe. The decrypted AES key is then used to decrypt a DLL in memory. The decrypted DLL code is then copied over to the heap.
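As an added example (not code from the article or from the sample), a Python parser for the container layout that begins with the WANACRY! marker described above; the field layout after the 8-byte magic is an assumption taken from public descriptions of the format, and the sample blob is constructed inline so the check runs offline:

```python
import struct
from dataclasses import dataclass
from typing import Optional

MAGIC = b"WANACRY!"  # the 8-byte marker the article says opens t.wnry

@dataclass
class WanaHeader:
    key_len: int          # length of the RSA-encrypted AES key blob
    enc_aes_key: bytes    # the encrypted AES key itself (still ciphertext)
    file_type: int        # file-type flag stored after the key blob
    original_size: int    # plaintext size recorded in the header
    payload_offset: int   # where the AES ciphertext starts

def parse_wanacry_header(data: bytes) -> Optional[WanaHeader]:
    """Parse a WANACRY! container header; return None if the magic is absent.

    Layout ASSUMED here (taken from public descriptions of the format, not
    from the article, which only mentions the 8-byte magic):
      0x00  8 bytes  "WANACRY!"
      0x08  4 bytes  little-endian length of the RSA-encrypted AES key
      0x0C  n bytes  RSA-encrypted AES key
      +0    4 bytes  little-endian file-type flag
      +4    8 bytes  little-endian original (plaintext) size
      then the AES-encrypted body
    """
    if len(data) < 12 or data[:8] != MAGIC:
        return None
    key_len = struct.unpack_from("<I", data, 8)[0]
    body = 12 + key_len
    if key_len == 0 or len(data) < body + 12:
        return None  # truncated or malformed header: refuse rather than guess
    file_type, original_size = struct.unpack_from("<IQ", data, body)
    return WanaHeader(key_len, data[12:body], file_type, original_size, body + 12)

def is_wanacry_container(data: bytes) -> bool:
    """Cheap triage check: does a file start with the WANACRY! marker?"""
    return data[:8] == MAGIC

def build_constructed_sample(original_size: int = 4096) -> bytes:
    """Build a CONSTRUCTED container for testing; key and body are dummy bytes."""
    fake_enc_key = bytes(range(256))          # stands in for a 256-byte RSA blob
    header = MAGIC + struct.pack("<I", len(fake_enc_key)) + fake_enc_key
    header += struct.pack("<IQ", 3, original_size)
    return header + b"\x00" * 32              # dummy AES body
```

The same header parser applies to the .WNCRY files the DLL writes, so it doubles as a way to inventory encrypted files and their recorded original sizes during incident response.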
Next, the function TaskStart (exported by the DLL) is called. This function performs the following actions through threads:
- Retrieve the public key used to encrypt files on the system
- Create a global mutex named “MsWinZonesCacheCounterMutex”
- Set the registry key-value pair “HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\<obfuscatedComputerName> = <tasksche.exeFilePath>”
- Encrypt files on the system
- Rename file extensions to .WNCRY (it also has code for attaching other extensions like .WNCRYT and .WNCYR)
- Start multiple processes — taskdl.exe, taskse.exe and @WanaDecryptor@.exe
Other Dropped Files
taskse.exe
Responsible for enumerating all active RDP sessions and executing tasksche.exe in each session.
@WanaCryptor@.exe (AKA u.wnry)
Responsible for showing the timer and payment window.
taskdl.exe
I did not analyze the code for this EXE. FireEye states in their blog that this binary is used for deleting temporary files.
r.wnry
Shows the ransom message.
s.wnry
Contains TOR executable.
msg/
Contains language files.
Other dropped files include f.wnry and b.wnry, whose functions/usage I’ve not explored.
YARA Rules
Creation
root@malnet:/opt/yarGen-0.21.2# python yarGen.py --opcodes -a "Nikhil Hegde" --oe --score -m /root/malware/Wannacry/dropper.bin/
###############################################################################
yarGen - Yara Rule Generator by Florian Roth
December 2018
Version 0.21.1
###############################################################################
[+] Using identifier 'dropper.bin'
[+] Using reference 'https://github.com/Neo23x0/yarGen'
[+] Using prefix 'dropper.bin'
[+] Processing PEStudio strings ...
[+] Reading goodware strings from database 'good-strings.db' and 'good-opcodes.db' ...
(This could take some time and uses at least 6 GB of RAM)
[+] Loading ./dbs/good-strings-part4.db ...
...
...
[+] Processing /root/malware/Wannacry/dropper.bin/XIA2058.zip ...
[+] Processing /root/malware/Wannacry/dropper.bin/XIA2058/c.wnry ...
[+] Processing /root/malware/Wannacry/dropper.bin/XIA2058/b.wnry ...
[+] Processing /root/malware/Wannacry/dropper.bin/XIA2058/r.wnry ...
[+] Processing /root/malware/Wannacry/dropper.bin/XIA2058/t.wnry ...
[+] Processing /root/malware/Wannacry/dropper.bin/XIA2058/u.exe ...
[-] Extracting OpCodes: /root/malware/Wannacry/dropper.bin/XIA2058/u.exe
[+] Processing /root/malware/Wannacry/dropper.bin/XIA2058/taskdl.exe ...
[-] Extracting OpCodes: /root/malware/Wannacry/dropper.bin/XIA2058/taskdl.exe
[+] Processing /root/malware/Wannacry/dropper.bin/XIA2058/s.zip ...
[+] Processing /root/malware/Wannacry/dropper.bin/XIA2058/taskse.exe ...
[-] Extracting OpCodes: /root/malware/Wannacry/dropper.bin/XIA2058/taskse.exe
...
...
[+] Generating Super Rules ... (a lot of foo magic)
[-] Adding Super Rule with 5721 strings.
[-] Adding Super Rule with 29 strings.
[+] Generating Simple Rules ...
[-] Applying intelligent filters to string findings ...
[-] Filtering string set for /root/malware/Wannacry/dropper.bin/dropper.exe ...
[-] Filtering opcode set for /root/malware/Wannacry/dropper.bin/dropper.exe ...
[-] Filtering string set for /root/malware/Wannacry/dropper.bin/XIA2058/u.exe ...
[-] Filtering opcode set for /root/malware/Wannacry/dropper.bin/XIA2058/u.exe ...
[-] Filtering string set for /root/malware/Wannacry/dropper.bin/XIA2058/taskse.exe ...
[-] Filtering opcode set for /root/malware/Wannacry/dropper.bin/XIA2058/taskse.exe ...
[-] Filtering string set for /root/malware/Wannacry/dropper.bin/XIA2058/taskdl.exe ...
[-] Filtering opcode set for /root/malware/Wannacry/dropper.bin/XIA2058/taskdl.exe ...
[-] Filtering string set for /root/malware/Wannacry/dropper.bin/R1831.exe ...
[-] Filtering opcode set for /root/malware/Wannacry/dropper.bin/R1831.exe ...
[+] Generating Super Rules ...
[=] Generated 5 SIMPLE rules.
[=] Generated 2 SUPER rules.
[=] All rules written to yargen_rules.yar
[+] yarGen run finished
Verification
root@malnet:~/malware/Wannacry/dropper.bin# yara -r yargen_rules.yar .
_root_malware_Wannacry_dropper_bin_XIA2058_taskse ./XIA2058/taskse.exe
_root_malware_Wannacry_dropper_bin_XIA2058_taskdl ./XIA2058/taskdl.exe
_root_malware_Wannacry_dropper_bin_XIA2058_u ./XIA2058/u.exe
_dropper_R1831_u_1 ./XIA2058/u.exe
_root_malware_Wannacry_dropper_bin_dropper ./R1831.exe
_root_malware_Wannacry_dropper_bin_R1831 ./R1831.exe
_dropper_R1831_0 ./R1831.exe
_root_malware_Wannacry_dropper_bin_dropper ./dropper.exe
_root_malware_Wannacry_dropper_bin_R1831 ./dropper.exe
_dropper_R1831_0 ./dropper.exe
SHA256 Hashes
- Dropper: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
- tasksche.exe: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
- taskdl.exe: 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79
- taskse.exe: 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
- @WanaCryptor@.exe: b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
Thanks for reading!
In this article, I described my analysis of the ransomware — WannaCry. It wasn’t easy and it took me many days to analyze the sample. This is the first time I’ve described assembly program analysis and, as such, I’ve minimized the details to keep the article from becoming too lengthy.
Thank you for reading! If you have any questions, leave them in the comments section below and I’ll get back to you as soon as I can!
Feature image credits: https://hackersonlineclub.com/malware-analysis/
P.S. I also write on my blog https://0x90sploiter.wordpress.com.